rick@fgritter.com
Posted: 05/18/2002, 2:20 PM
If you ask for this file in the web browser, it will offer to download or open it on the spot (e.g., www.anysite.com/db_mysql.inc). Does this present a risk from accomplished hackers? Anybody know?
Brent
Posted: 05/18/2002, 3:13 PM
This is a minor security leak and I had advised YS to rename the suffix to .PHP or .ASP etc. so people can't view it. (They did this with CCS.) You can change your server configuration to prevent *.inc files from being accessible for display. Or you can rename it to db_mysql.php or db_mysql.asp and change the include statement accordingly. You should also move this file to a directory that is above the webserver root directory. Example:
From: /apache/apache group/htdocs/myapp/include
To: /apache/apache group/include
Browsers can't access above the htdocs directory, but your webserver can. Also secure the directory so no one else can get at it.
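Brent's server-configuration option, written out as an added example that is not part of this thread: an Apache rule that refuses to serve any file ending in .inc, so a leftover include can't be downloaded even if it still sits under htdocs, plus the include_path setting that lets PHP find files moved above the document root. It assumes Apache 2.4 with mod_php, and that the directives go in httpd.conf or an .htaccess file where AllowOverride permits them.

```apache
# Refuse to serve raw include files no matter where they sit under
# the document root. Apache 2.4 syntax; on Apache 2.2 replace
# "Require all denied" with:
#   Order allow,deny
#   Deny from all
<FilesMatch "\.inc$">
    Require all denied
</FilesMatch>

# Belt and braces: also keep the includes above the document root
# (the /apache/apache group/include location from the post above).
# Nothing outside DocumentRoot is reachable by URL unless you Alias
# it, so the FilesMatch block only matters for files still in htdocs.
# With mod_php, add that directory to PHP's include_path so scripts
# can include("db_mysql.php") without hard-coding the absolute path.
php_value include_path ".:/apache/apache group/include"
```

After a restart, request the old URL yourself: a 403 for the .inc file and a working application confirm both halves took effect.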
DaveRexel
Posted: 05/18/2002, 3:36 PM
What are you using? CC or CCS?
In CCS I have this include:
--------
include(RelativePath . "/db_mysql.php");
--------
That's perfectly OK.
In CC this file has the .inc suffix, but your database login/password info is set and passed in common.php, not db_mysql.inc.
In both cases your database account information is in executable PHP files and is not a security liability under normal circumstances.
I do agree with Brent that this file should be renamed in CC as well anyway.
rick@fgritter.com
Posted: 05/22/2002, 9:31 AM
You were detailed and informative.